KEYS: Improve /proc/keys

Improve /proc/keys by:

 (1) Don't attempt to summarise the payload of a negated key.  It won't have
     one.  To this end, a helper function - key_is_instantiated() has been
     added that allows the caller to find out whether the key is positively
     instantiated (as opposed to being uninstantiated or negatively
     instantiated).

 (2) Do show keys that are negative, expired or revoked rather than hiding
     them.  This requires an override flag (no_state_check) to be passed to
     search_my_process_keyrings() and keyring_search_aux() to suppress this
     check.

     Without this, keys that are possessed by the caller, but only grant
     permissions to the caller if possessed are skipped as the possession check
     fails.

     Keys that are visible due to user, group or other checks are visible with
     or without this patch.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>

1 files changed, 7 insertions, 5 deletions

diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index 930634e45149..6c0480db8885 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -331,6 +331,7 @@ void key_fsgid_changed(struct task_struct *tsk)
 key_ref_t search_my_process_keyrings(struct key_type *type,
                                      const void *description,
                                      key_match_func_t match,
+                                     bool no_state_check,
                                      const struct cred *cred)
 {
         key_ref_t key_ref, ret, err;
@@ -350,7 +351,7 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
         if (cred->thread_keyring) {
                 key_ref = keyring_search_aux(
                         make_key_ref(cred->thread_keyring, 1),
-                        cred, type, description, match);
+                        cred, type, description, match, no_state_check);
                 if (!IS_ERR(key_ref))
                         goto found;
 
@@ -371,7 +372,7 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
         if (cred->tgcred->process_keyring) {
                 key_ref = keyring_search_aux(
                         make_key_ref(cred->tgcred->process_keyring, 1),
-                        cred, type, description, match);
+                        cred, type, description, match, no_state_check);
                 if (!IS_ERR(key_ref))
                         goto found;
 
@@ -395,7 +396,7 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
                         make_key_ref(rcu_dereference(
                                              cred->tgcred->session_keyring),
                                      1),
-                        cred, type, description, match);
+                        cred, type, description, match, no_state_check);
                 rcu_read_unlock();
 
                 if (!IS_ERR(key_ref))
@@ -417,7 +418,7 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
         else if (cred->user->session_keyring) {
                 key_ref = keyring_search_aux(
                         make_key_ref(cred->user->session_keyring, 1),
-                        cred, type, description, match);
+                        cred, type, description, match, no_state_check);
                 if (!IS_ERR(key_ref))
                         goto found;
 
@@ -459,7 +460,8 @@ key_ref_t search_process_keyrings(struct key_type *type,
 
         might_sleep();
 
-        key_ref = search_my_process_keyrings(type, description, match, cred);
+        key_ref = search_my_process_keyrings(type, description, match,
+                                             false, cred);
         if (!IS_ERR(key_ref))
                 goto found;
         err = key_ref;